Symantec atones for church spyware mistake

Many Church of England vicars use a software tool called Visual Liturgy to plan, create and deliver church services. On July 8, Symantec issued a new virus definition that had "a significant detrimental effect on Visual Liturgy," according to Church House Publishing, the publishing arm of the Church of England.

As first reported by ZDNet UK on Thursday, Norton Antivirus wrongly identified a file integral to Visual Liturgy as Sniperspy, a piece of spyware. After receiving the update, users were prompted to accept the Sniperspy threat warning and delete the file, called vlutils.dll. This rendered Visual Liturgy useless.

CHP confirmed that Symantec has now fixed this problem.

"We have spoken to several users and one or two of our beta tester users, who usually are clergy with a background in IT prior to ordination. They have confirmed that Norton and Visual Liturgy are now functioning normally. So it does appear that, yes, Symantec has fixed the issue," said David Green, outgoing new media manager for Church House Publishing.

Church House says that it took Symantec nearly four weeks to address the situation. Symantec, though, claims the fix was made available the day after it received a false positive report from Church House, filed July 10.

"Having reviewed the query, the issue was addressed and a response was sent to CHP on July 11, advising them to run Live Update and respond to confirm that this rectified the signature and corrected this issue," a Symantec representative told ZDNet UK.

E-mail purgatory
However, Church House denied having received this e-mail from Symantec on July 11.

"We have absolutely no record of any e-mail from (Symantec) in the days that followed the complaint," Green told ZDNet UK. "We recognize that while spam filters may have blocked their response or we may have dropped the ball in the communication process, we have checked our systems and can still find no record."

The wider issue, Green argues, is that Symantec said it would take up to four weeks to fix the problem.

"Either they are getting far too many false positives, or they are very slow at sorting them out. It took four weeks to sort this out. For a software publisher, that's...a lot of support calls and reputational damage while they sort out their mistake."

Despite the disruption suffered by Church House and its users, the company is not planning to bring legal action against Symantec.

"We discussed whether it was worth engaging a legal team to recover the damage, but decided it wouldn't be a good use of Church funds, and we didn't feel like a big enough company to take Symantec on.

"We would rather leave it as a decision for Symantec as to whether they make a donation to church funds," said Green.

ZDNet UK asked Symantec whether it intends to offer any compensation, but the company has not yet responded to that inquiry.

Symantec said its security response team is contacting Church House directly to ensure that they are not having any further problems.

Church House itself doesn't bear a grudge.

"Ultimately, we are glad to see that they have fixed the issue just within the four week deadline that they set themselves, and we wish Symantec all the best and better insight in successfully identifying malware in the future," said Thomas Allain-Chapman, the head of publishing at Church House.